SELF
SELF files are a wrapper around encrypted ELF files. The encrypted header contains keys to decrypt each encrypted ELF program, which are decrypted and loaded individually. Because of this, a copy of the ELF headers and ELF program headers are stored in plain text next to the SCE header.
Authority ID
8 Bytes long. Located at offset 0x80 in SELF header.
sceAppMgrConvertVs0UserDrivePath checks the AuthId to limit mount points.
0x2800000000008000
only used by SceWebCore eboot.bin (NPXS10017 / NPXS10037 on 1.69-3.01, replaced later by SceWebKit).
0x2800000000008003
seen used by SceWebCore can access vs0:data/external/cert/
and vs0:data/external/webcore/
.
0x210000101CD20007
seen used by PSM can access vs0:data/external
and vs0:sys/external
.
Relocations
Relocations are stored within the PT_SCE_RELA segment.
Relocation entry format can be one of 10 types which is determined by the first 4 bits.
Format 0
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 0 |
4 | 7 | Symbol segment index |
8 | 15 | Relocation type |
16 | 19 | Patch segment index |
20 | 27 | Second relocation type |
28 | 31 | Distance from offset (used for second relocation) |
32 | 63 | Addend |
64 | 95 | Offset |
Format 1
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 1 |
4 | 7 | Symbol segment index |
8 | 15 | Relocation type |
16 | 19 | Patch segment index |
20 | 41 | Offset |
42 | 63 | Addend |
Format 2
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 2 |
4 | 7 | Symbol segment index |
8 | 15 | Relocation type |
16 | 31 | Offset |
32 | 64 | Addend |
Format 3
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 3 |
4 | 7 | Symbol segment index |
8 | 8 | Mode (ARM = 0, THUMB = 1) |
9 | 26 | Offset |
27 | 31 | Distance from offset |
32 | 64 | Addend |
Format 4
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 4 |
4 | 26 | Offset |
27 | 31 | Distance from offset |
Format 5
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 5 |
4 | 12 | Distance 1 |
13 | 17 | Distance 2 |
18 | 26 | Distance 3 |
27 | 31 | Distance 4 |
Format 6
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 6 |
4 | 31 | Offset |
Format 7
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 7 |
4 | 10 | Offset 1 |
11 | 17 | Offset 2 |
18 | 24 | Offset 3 |
25 | 31 | Offset 4 |
Format 8
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 8 |
4 | 7 | Offset 1 |
8 | 11 | Offset 2 |
12 | 15 | Offset 3 |
16 | 19 | Offset 4 |
20 | 23 | Offset 5 |
24 | 27 | Offset 6 |
28 | 31 | Offset 7 |
Format 9
Start | End | Description |
---|---|---|
0 | 3 | Entry format type set to 9 |
4 | 5 | Offset 1 |
6 | 7 | Offset 2 |
8 | 9 | Offset 3 |
10 | 11 | Offset 4 |
12 | 13 | Offset 5 |
14 | 15 | Offset 6 |
16 | 17 | Offset 7 |
18 | 19 | Offset 8 |
20 | 21 | Offset 9 |
22 | 23 | Offset 10 |
24 | 25 | Offset 11 |
26 | 27 | Offset 12 |
28 | 29 | Offset 13 |
30 | 31 | Offset 14 |
Supported Relocation Codes (3.60)
Code | Description |
---|---|
0 | R_ARM_NONE |
2 | R_ARM_ABS32 |
3 | R_ARM_REL32 |
10 | R_ARM_THM_CALL |
28 | R_ARM_CALL |
29 | R_ARM_JUMP24 |
38 | R_ARM_TARGET1 (same as R_ARM_ABS32) |
40 | R_ARM_V4BX (same as R_ARM_NONE) |
41 | R_ARM_TARGET2 (same as R_ARM_REL32) |
42 | R_ARM_PREL31 |
43 | R_ARM_MOVW_ABS_NC |
44 | R_ARM_MOVT_ABS |
47 | R_ARM_THM_MOVW_ABS_NC |
48 | R_ARM_THM_MOVT_ABS |
Encryption
SELF, PRX and Update Packages are all encrypted using the exact same algorithm, while SELF are hashed and signed (signature is RSA based), this section only focuses on the encryption layer itself.
- Step 1
The first step uses a static key and IV contained within a relevant Secure Module; for example update package keys are located in update_service_sm.self while kernel prx keys are located in kprx_auth_sm.self (or, for secure module themselves as well as kernel_boot_loader.self, inside secure_kernel.enp).
The initial step decrypts the first 0x40 bytes of the self metadata using AES256CBC, this results into the key and IV used in step 2
- Step 2
The second step uses the key and iv decrypted from the first 0x40 bytes of the metadata to decrypt the rest of the metadata using AES128CBC.
- Step 3
The SELF metadata is typically stored in this format (below is the metadata example for a 4 sections self): Update packages metadata follows the same principles but is slightly different (different MAGIC/Header)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 0F F8 FF FF FF FF FF FF FA FF FF FF FB FF FF FF .øÿÿÿÿÿÿúÿÿÿûÿÿÿ 00000010 18 00 00 00 70 01 00 00 00 00 00 00 00 00 00 00 ....p........... 00000020 00 0A 00 00 00 00 00 00 C0 00 00 00 00 00 00 00 ........À....... <<< First section address 00000030 02 00 00 00 01 00 00 00 06 00 00 00 00 00 00 00 ................ 00000040 03 00 00 00 04 00 00 00 05 00 00 00 01 00 00 00 ................ 00000050 00 0B 00 00 00 00 00 00 FC B4 07 00 00 00 00 00 ........ü´...... <<< Second section address 00000060 02 00 00 00 02 00 00 00 06 00 00 00 06 00 00 00 ................ 00000070 03 00 00 00 0A 00 00 00 0B 00 00 00 01 00 00 00 ................ 00000080 00 C0 07 00 00 00 00 00 98 1E 00 00 00 00 00 00 .À......˜....... <<< Third section address 00000090 02 00 00 00 03 00 00 00 06 00 00 00 0C 00 00 00 ................ 000000A0 03 00 00 00 10 00 00 00 11 00 00 00 01 00 00 00 ................ 000000B0 00 DF 07 00 00 00 00 00 9D BA 02 00 00 00 00 00 .ß.......º...... <<< Fourth section address 000000C0 02 00 00 00 04 00 00 00 06 00 00 00 12 00 00 00 ................ 000000D0 03 00 00 00 16 00 00 00 17 00 00 00 01 00 00 00 ................ 000000E0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª <<< First Section Hash 000000F0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª <<< First Section Hash 00000100 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000110 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000120 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< First Section random key 00000130 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< First Section random IV 00000140 BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB »»»»»»»»»»»»»»»» <<< Second Section Hash 00000150 BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB »»»»»»»»»»»»»»»» <<< Second Section Hash 00000160 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000170 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000180 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< Second Section random key 00000190 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< Second Section random IV 000001A0 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ <<< Third Section Hash 000001B0 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ <<< Third Section Hash 000001C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000001D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000001E0 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< Third Section random key 000001F0 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< Third Section random IV 00000200 DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ <<< Fourth Section Hash 00000210 DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ <<< Fourth Section Hash 00000220 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000230 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000240 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< Fourth Section random key 00000250 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE îîîîîîîîîîîîîîîî <<< Fourth Section random IV 00000260 01 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ....0........... 00000270 80 00 00 00 C0 00 F0 00 00 00 00 00 FF FF FF FF €...À.ð.....ÿÿÿÿ <<< Metadata end
Following the same principles, an update package metadata would look like this:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 00 02 00 00 00 00 00 00 05 00 00 00 03 00 00 00 ................ 00000010 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 03 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 00000030 01 00 00 00 01 00 00 00 06 00 00 00 00 00 00 00 ................ 00000040 01 00 00 00 FF FF FF FF FF FF FF FF 01 00 00 00 ....ÿÿÿÿÿÿÿÿ.... 00000050 40 03 00 00 00 00 00 00 40 00 00 00 00 00 00 00 @.......@....... 00000060 02 00 00 00 02 00 00 00 06 00 00 00 04 00 00 00 ................ 00000070 01 00 00 00 FF FF FF FF FF FF FF FF 01 00 00 00 ....ÿÿÿÿÿÿÿÿ.... 00000080 80 03 00 00 00 00 00 00 00 00 80 00 00 00 00 00 €.........€..... 00000090 03 00 00 00 03 00 00 00 06 00 00 00 08 00 00 00 ................ 000000A0 03 00 00 00 0C 00 00 00 0D 00 00 00 01 00 00 00 ................ 000000B0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª <<< Hash 000000C0 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª <<< Hash 000000D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random key 000000E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random IV 000000F0 BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB »»»»»»»»»»»»»»»» <<< Hash 00000100 BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB »»»»»»»»»»»»»»»» <<< Hash 00000110 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random key 00000120 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random IV 00000130 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ <<< Hash 00000140 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ <<< Hash 00000150 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random key 00000160 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random IV 00000170 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random key 00000180 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <<< Random IV
- Step 4
The last step uses the keys and ivs extracted from the metadata to decrypt their respective sections using AES128CTR.